Using OIDC Trusted Publishing, the first attempt to publish from a maintenance branch fails

[svanherk]

This problem was found testing out the beta release for OIDC trusted publishing (now officially released) and there's some more context in that issue.

When set up to use the new OIDC trusted publishing with npm, the first release on a maintenance branch (ex. 1.32.x) fails with the following error:

[semantic-release] [@semantic-release/npm] › ℹ  Adding version 1.32.0 to npm registry on dist-tag release-1.32.x
npm error code E401
npm error 401 Unauthorized - PUT https://registry.npmjs.org/-/package/<package>/dist-tags/release-1.32.x

Steps to reproduce:

1. Create a fresh patch maintenance branch (like 1.32.x)
2. Merge a fix: commit to that branch
3. Get to the Start step "addChannel" of plugin "@semantic-release/npm" step of the release workflow
4. Get the error above
5. Merge another commit to that branch, and get a successful release and publish

@travi already confirmed seeing the same behavior.

Opening the issue here, but it sounds like this is likely an npm issue.

[svanherk]

Been following along in npm/cli#8547, but no acknowledgement yet on any planned work/fix.